VOIP vs. Firewalls 

from the July 2002 issue of Business Communications Review, p. 10 

by Eric Krapf, managing editor of Business Communications 
Review 

Enabling voice over IP (VOIP) to pass through a corporate 
firewall without endangering network security is shaping 
up to be a major challenge. Most of the firewalls installed 
today require network managers to open up yawning 
gaps in the firewall if VOIP is to get through, and while 
new solutions are emerging, they present their own 
problems. 

Opening Ports 

Firewalls protect a local or campus network by blocking 
incoming traffic based on application port numbers. The 
standard approach is to close all ports except those the 
enterprise specifically needs to keep open— e.g., for HTTP 
(Web) traffic. In legacy firewalls, open ports can only be 
closed via manual configuration. 

But if you want to let VOIP traffic move from a public IP 
network onto your premises, you have to leave lots of 
ports open, explained Gary Audin, president of 
consultancy Delphi, Inc. For each voice conversation, two 
TCP or UDP ports have to be opened to allow H.323 or 
Session Initiation Protocol (SIP) signaling— one port for 
each direction. Then, for the voice traffic itself, two UDP 
ports must be opened and, optionally, two more UDP 
ports may be opened for Real-Time Control Protocol 
(RTCP), which monitors performance. 

The VOIP ports run in sequences starting with Port 1024, 
which is a talk port, then 1025 to monitor 1024, then Port 
1026 to listen, 1027 to monitor 1026, and so on, Audin 
explained. 
Note that 2-4 UDP ports must be open for the duration 
of each call. If you need to support more than one 
simultaneous phone call, you'll have to open up a pool of 
many more ports. "You can create a blocking 
environment at your firewall if you run out of ports that 
are in your pool," Audin said. 

And of course, the more ports you open up, the more 
you expose your internal network to attack. The solution 
that firewall vendors have hit on is to enable VOIP ports 
to be kept closed, then opened dynamically when traffic 
needs to get through, and closed once the call is torn 
down. This requires the firewall to understand enough of 
the VOIP call control to know which ports each call will 
use. 
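The following is an added example, not code from the article or from any of the firewall vendors it names. It models the behaviour just described: the firewall parses the SIP INVITE and the 200 OK answer, reads each side's media port from the SDP, opens that UDP port plus the RTCP port above it (the 1024/1025 pairing Audin describes) for the duration of the call, and closes them on BYE or when the INVITE fails. The SIP messages, addresses and Call-ID are constructed for the example; RTCP is assumed at RTP port + 1 (the RFC 3550 default) and an a=rtcp: override is not parsed.

```python
"""Dynamic RTP/RTCP pinholing driven by SIP/SDP call control.

Added example, not code from the article or from any firewall vendor it
names.  The firewall parses the call control, learns which UDP ports the
call will use, opens only those while the call is up and closes them on
teardown.  Messages, addresses and Call-ID below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pinhole:
    """One UDP port the firewall lets through while a call is up."""
    host: str
    port: int
    purpose: str  # "rtp" (voice) or "rtcp" (the monitor port, RTP + 1)


def parse_sip(msg):
    """Split a SIP message into (start line, lowercased headers, body)."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media(sdp):
    """Return (ip, port) for each accepted media stream in an SDP body.

    A session-level c= applies to every m= that follows; a c= placed after
    an m= overrides the address for that stream only.  An m= with port 0
    is a rejected stream and gets no pinhole.
    """
    session_ip, streams, in_media = None, [], False
    for ln in sdp.splitlines():
        if ln.startswith("c="):                 # c=<nettype> <addrtype> <address>
            ip = ln.split()[2]
            if in_media:
                streams[-1][0] = ip
            else:
                session_ip = ip
        elif ln.startswith("m="):               # m=<media> <port> <proto> <fmt>...
            in_media = True
            streams.append([session_ip, int(ln.split()[1])])
    return [(ip, port) for ip, port in streams if port != 0]


def pinholes_for(sdp):
    """RTP on the announced port, RTCP on the next one up (RFC 3550 default;
    an a=rtcp: attribute overriding that is not parsed here)."""
    holes = set()
    for ip, port in sdp_media(sdp):
        holes.add(Pinhole(ip, port, "rtp"))
        holes.add(Pinhole(ip, port + 1, "rtcp"))
    return holes


@dataclass
class SipPinholeTracker:
    """Open pinholes per call, keyed by SIP Call-ID."""
    calls: dict = field(default_factory=dict)

    def handle(self, msg):
        """Feed one SIP message; return (opened, closed) sets of Pinhole.

        INVITE requests and 2xx responses to INVITE carry the SDP offer and
        answer, so each side's media ports become pinholes.  A BYE, or a
        final failure response to the INVITE, closes every pinhole of the call.
        """
        start, hdr, body = parse_sip(msg)
        call_id = hdr.get("call-id")
        if call_id is None:
            raise ValueError("SIP message without Call-ID")
        if start.startswith("SIP/2.0 "):        # response: method is in CSeq
            status = int(start.split()[1])
            cseq = hdr.get("cseq", "").split()
            method = cseq[-1] if cseq else ""
        else:                                   # request: method starts the line
            status, method = None, start.split()[0]

        opened, closed = set(), set()
        current = self.calls.setdefault(call_id, set())
        if method == "INVITE" and (status is None or 200 <= status < 300):
            opened = pinholes_for(body) - current
            current |= opened
        elif method == "BYE" or (method == "INVITE" and status is not None and status >= 300):
            closed = self.calls.pop(call_id)
        if not self.calls.get(call_id):
            self.calls.pop(call_id, None)       # drop empty per-call state
        return opened, closed


# Constructed exchange: an outside caller (203.0.113.10) invites an inside
# phone (192.0.2.20), the phone answers, and the caller hangs up.
CALL_ID = "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
INVITE = ("INVITE sip:bob@192.0.2.20 SIP/2.0\r\n" + CALL_ID + "CSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 203.0.113.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n" + CALL_ID + "CSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.20\r\nm=audio 1024 RTP/AVP 0\r\n"
          "m=video 0 RTP/AVP 31\r\n")          # video rejected: no pinhole
BYE = "BYE sip:bob@192.0.2.20 SIP/2.0\r\n" + CALL_ID + "CSeq: 2 BYE\r\n\r\n"


def simulate_call():
    """Run the exchange; return each message's (opened, closed) and the final state."""
    tracker = SipPinholeTracker()
    return [tracker.handle(m) for m in (INVITE, OK_200, BYE)], tracker.calls
```

Over this one call the tracker opens exactly four UDP ports (RTP and RTCP on each side) and closes all four on BYE, which is the 2-4 ports per call the article counts; a static configuration would have had to leave a whole pool of them open permanently. Note that the pinholes are keyed by the signalling, so the firewall only ever opens what the call control actually announced, and the INVITE has to be parsed and the policy installed before the first RTP packet arrives.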



Dynamic Port Opening 

Several firewall vendors, including Cisco, Check Point, 
Aravox and Ingate, enable dynamic port opening on their 
devices. Most support both H.323, the control protocol 
that's most common today, as well as SIP, which is 
expected to dominate eventually. 



The natural concern in dynamic port opening is 
performance. Audin believes the negotiation process for 
dynamically opening ports will add delay and produce 
jitter, both of which can be serious issues with VOIP. 
Vendor representatives such as Bill Jensen, product 
marketing manager at Check Point, insist performance 
isn't an issue, even for his company's firewalls, which 
are software- rather than hardware-based. "On some of 
our appliances we're getting 3 Gbps of throughput," he 
said. "We can handle the throughput that's needed." 



However, the issue may not be simply one of packet 
throughput and its effect on voice quality. Opening a 
port means updating the firewall's policy, and there isn't 
much of a time window in which to accomplish this. In a 
white paper, Dr. Andrew Molitor, chief scientist and co- 
founder of Aravox, noted that, in VOIP, voice packets 
follow very quickly on the heels of the control packets, 
so "the firewall must be able to receive, install and 
acknowledge a policy change request in a matter of a 
few milliseconds" so that the port will be open when the 
voice packets start arriving. 

And that's to make sure an individual call goes through. 
The firewall's processing must also be able to support 
enough simultaneous policy updates to handle the 
offered load of calls at the peak busy hour, Molitor 
added. 

Organizational Issues 

There are also non-technical issues. Just as the voice 
and data organizations within an enterprise must work 
together on VOIP implementations, there'll also need to 
be greater cooperation between those in charge of voice 
and those who specialize in network security. That won't 
necessarily be a smooth ride. 

From the security manager's perspective, getting voice 
people involved in the details of firewall management 
could be uncomfortable, noted Check Point's Bill Jensen. 
"There's some trust issues there. ...You know security. 
The person doing voice over IP, who is often on the telco 
side of the business, doesn't necessarily have the depth 
of knowledge." 

Likewise, Audin said the subject comes up in his training 
classes: "They're very chagrined, because they're mostly 
voice people, and they say: You mean I have to get 
involved with the security people for this? The answer is 
yes." 

And when the subject is security, it's not necessarily a 
petty turf battle; enterprises with highly sensitive data 
want to keep everything relating to security on a need- 
to-know basis. "Here's an image for you," Audin said. "At 
Merrill Lynch, they got so paranoid that when they put in 
a firewall, they would tell the IP people to lay the cable 
on the floor; [the security staff] would come in at night 
and hook it up so you wouldn't even know who the 
[security] people were." 



Conclusion 

Audin believes that VOIP firewalls haven't become a 
huge issue yet because of how companies are migrating 
toward VOIP: Many are either using private IP trunking 
for wide-area VOIP— "essentially a tie-line replacement 
between two PBXs"— or they're implementing only on the 
LAN side. In these scenarios, there's no VOIP traffic 
moving from an untrusted to a trusted network, and so 
firewall traversal doesn't become an issue. 

"A lot of people have avoided it, just by not knowing 
they were avoiding it. They simply did one piece of VOIP, 
which essentially said firewalls weren't really necessary," 
Audin said. "The second or third stage of convergence 
really brings in the firewall problem." 
Abstract of WO03067363 

A mechanism is disclosed for facilitating the 
performance of communication services in a 
communication network. An enhanced proxy 
server receives a signaling message and proxies 
the message to an application server. Further, 
the enhanced proxy server responds to the 
message by extracting a set of data from a data 
store and making the set of data available for use 
by the application server in responding to the 
signaling message. Similarly, a registration 
server may receive a signaling message from a 
communicating entity and may responsively 
make data available for use by an application 
server in responding to signaling messages 
regarding the communicating entity. 
Abstract of JP11065861 

PROBLEM TO BE SOLVED: To provide a device which 
performs service session control whatever distributed 
OS environment a client is in. SOLUTION: Service session 
gateways 4 and 6 are provided between a server 1 and a 
service session control part 5, and between a client 2 
and the service session control part 5. If the client 2 is 
not initially in the distributed OS environment while the 
service session control part 5 performs control in the 
distributed OS environment, the service session gateway 6 
converts a session control signal from the client 2 into a 
session control signal of the distributed OS environment 7, 
based on that distributed environment. 
Symantec's Symantec Gateway Security, TippingPoint's UnityOne, and 
IntruVert Networks' IntruShield are integrated appliances that combine 
multiple security measures. Vendors are beginning to combine 
firewalls, intrusion detection systems (IDSes), and other security 
technologies that can operate together. Low-end, all-purpose devices, 
including Gateway Security Appliance, are an excellent choice for small- 
and mid-sized businesses (SMBs). Gateway Security Appliance and similar 
devices provide almost plug-and-play deployment and easy management, but 
their throughput is limited, and their IDS signature databases are relatively 
small and seldom updated. Integrated appliances such as UnityOne and IntruShield 
provide protection against anomaly and signature attacks by inspecting data 
packets for questionable attributes and behaviors, with the ability to 
automatically drop connections and shut down ports. With a 
single-component appliance, complexity and overhead are reduced, which 
reduces staffing requirements, but one drawback is that a single device is an 
easier target for hacking and cracking. Symantec also plans an enterprise-level 
version of Gateway, which uses technologies acquired with Riptech, SecurityFocus, 
MountainWave Technologies, and Recourse Technologies. UnityOne provides a 
firewall, IDS, and malware protection, but speed tops out at 2 Gbps. NetScreen 
Technologies has purchased OneSecure, and might add the latter's technology 
to NetScreen's firewall/VPN offerings. 

COMPANY NAME: Symantec Corp (386251); 3Com Corp (125105); McAfee Inc (490113) 
SPECIAL FEATURE: Charts 
DESCRIPTORS: Computer Security; Firewalls; Internetworking; Intrusion Detection; 
Network Administration; Network Software; System Monitoring 
REVISION DATE: 20031030 






10/678,779 

7/9/2 

DIALOG(R) File 2: INSPEC 

(c) Institution of Electrical Engineers. All rts. reserv. 

08782068 INSPEC Abstract Number: B2003-12-8110C-035, C2003-12-6130S-057 

Title: Application of OPSEC in network security management for power 
enterprises 

Author(s): Huang Tianshu; Sun Fuxiong; Xiang Jidong; Yu Jingsong 
Author Affiliation: Wuhan Univ., China 

Journal: Automation of Electric Power Systems vol.27, no. 13 p. 54-7 
Publisher: State Power Corp. of China, 

Publication Date: 10 July 2003 Country of Publication: China 

CODEN: DXZIE9 ISSN: 1000-1026 

SICI: 1000-1026(20030710) 27: 13L. 54: A0NS;1-F 

Material Identity Number: C804-2003-017 

Language: Chinese Document Type: Journal Paper (JP) 

Treatment: Applications (A) 

Abstract: As a commonly used network security product, the network 
firewall cannot meet all the actual needs and special situations of 
power enterprises, so users have to resort to other security software 
or develop it themselves. Hence, for the enterprise security system, the 
problem of how to integrate new software with the existing network security 
system into an organic whole is studied. Taking the commonly used hacker 
attack methods of DDoS, Trojan horses and port scanning as research objects, 
and using the development environment and the common interface provided by 
the open platform for secure enterprise connectivity (OPSEC), a development 
practice is introduced in which security software designed to automatically 
detect intrusions and raise alarms is embedded in an OPSEC-supporting 
enterprise firewall as an extended firewall management module, working 
together with the existing firewall management module to defend against 
hacker attacks. (5 Refs) 
SecurVantage from Securify is a network security monitoring tool that 
automates the discovery of traffic that runs over a network. For systems 
with large numbers of applications using undocumented ports, 
SecurVantage is a fast and reliable method for establishing what the 
traffic pattern should be, and then monitoring network activity on 
firewalls, routers, authentication and authorization software, and so 
forth. If SecurVantage detects unusual activity, it sends an 
alert. Electronic Data Systems (EDS) uses SecurVantage to secure the 
Navy-Marine Corps Intranet, which uses more than 70,000 applications. 
SecurVantage provided EDS with the necessary traffic information, which 
ports and protocols the 70,000 applications use, so that EDS could 
secure this large network. After Navy policies were enforced, SecurVantage 
monitored for any unusual traffic. Other companies that provide 
network security monitoring tools include CyberGuard, Internet 
Security Systems, and Symantec. 
Tech Success: EDS secures NMCI with Securify 

By JOAB JACKSON 

Network monitoring tool helps identify many legacy applications 

Electronic Data Systems Corp. in August awarded Securify Inc. a two-year, $5.8 
million contract to help resolve a challenge the integrator had grappled with for almost 
three years: how to secure a huge network rife with legacy applications. 

In October 2000, when EDS of Plano, Texas, won the eight-year, $6.9 billion contract 
to create the Navy-Marine Corps Intranet for more than 400,000 sailors and Marines, 
it faced the problem of integrating, at last count, more than 70,000 applications, 
according to Steve Vetter, a director of strategic planning for EDS. 

For a network to run smoothly, the security team must know which ports and 
protocols the network applications use to communicate, so when viruses or unwanted 
visitors hit the network, they will be easily identified as errant. But with so many out- 
of-date and home-built applications running, many with unusual settings, making a list 
of what traffic was supposed to be on the network would be challenging. 

"We've been wrestling with this problem. There are no silver bullets, but [Securify] 
was the closest thing we found," Vetter said. 

Securify's SecurVantage security monitoring software can be used by integrators as 
well to help manage large networks, said Carl Wright, a former procurement officer for 
the Marines, and vice president of federal operations for Securify of Mountain View, 
Calif. 

The field of network security monitoring tools is competitive, with contenders such as 
CyberGuard Corp., Internet Security Systems Inc. and Symantec Corp. Securify's 
competitive advantage is the wide breadth of network attributes that it monitors, 
Wright said. The software keeps tabs on everything from the host ports to whether 
someone is using an up-to-date public key infrastructure certificate. 

Installed at the boundaries between NMCI and other military networks, SecurVantage 
will help EDS and the Navy in two ways. 

First, the Navy and EDS can automate discovering the types of traffic that usually run 
over network. On complex systems, this discovery process can be time-consuming. In 
many cases, the documentation for the Navy's legacy programs - for those programs 
with documentation - is not accurate. 

"Many systems engineers made changes to applications, such as changing the ports 
used," and such changes were not updated in the documentation, Vetter said. 
Therefore, the only way EDS could determine how an application used a network 
would be to watch the behavior of that application in action. 

SecurVantage can automatically characterize the traffic "flowing through" a network 
and give EDS officials a summary. EDS has begun to deploy it in this discovery 
process in selected Navy networks. 

Once traffic is characterized and modified to conform to Navy standards, the software 
can monitor the network to watch for unusual activity. The software watches activity 
on firewalls, virus protection software, virtual private networks, routers and 
If the traffic characteristics do not match what is authorized to go over that network, 
SecurVantage will alert EDS network administrators of the rogue communications. 
EDS, in turn, submits reports to the Navy's electronic warfare command. 

With 50 employees, Securify was founded in 1998 as a consulting company, by 
ex-Netscape Corp. chief scientist Taher Elgamal. The company's product suite grew out 
of the tools the company developed internally to help financial institutions get a 
handle on the traffic flowing through their networks. 

Today, government makes up about 80 percent of the private company's sales, with 
financial services accounting for most of the rest. The company does not divulge 
sales figures; however, research company Hoover's Inc., Austin, Texas, estimates 
Securify's 2002 sales at about $10 million. 

Other government clients include the Defense Information Systems Agency, which 
uses Securify's products to secure command and control networks. In addition to the 
EDS deal, the Navy also uses Securify products for its own responsibilities in 
maintaining NMCI. Government-focused integrator partners include Artel Inc., Reston, 
Va., and Washington-based professional services company Centerprise Advisors Inc. 

Integrators can use Securify to estimate more accurately how much work a potential 
contract could cost to implement, Wright said. The software can quickly build a 
characteristic of the traffic on that network, giving the integrator a clear picture of how 
much work will be needed to meet specifications. This information can help 
integrators estimate how much to bid for the work. 

It also helps integrators merge networks. The NMCI project, for instance, involves 
combining many smaller office and base networks. 

"What we do is help mitigate the complexity of large enterprise transitions by 
providing information based on real operational data," Wright said. 
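As an added example, not Securify's code and not a description of how SecurVantage works internally, the two phases described above can be modelled on flow records: learn which services each pair of hosts actually uses during a discovery period, emit that as the explicit list of what traffic should be on the network, then alert on anything that falls outside it. The flow records are constructed, the addresses come from the RFC 5737 documentation ranges, and the min_count threshold and the two alert labels are this example's own choices.

```python
"""Learn-then-monitor baseline of which services each host pair uses.

Added example for this page; not Securify code.  It models the two phases
the articles describe: characterize the traffic that normally flows, then
alert on flows outside that characterization.  Flow records below are
constructed; addresses are from the RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict

# Constructed discovery-phase flows: (src, dst, proto, dst_port).
DISCOVERY_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 443),
    ("192.0.2.10", "198.51.100.5", "tcp", 443),
    ("192.0.2.10", "198.51.100.5", "tcp", 443),
    ("192.0.2.11", "198.51.100.7", "tcp", 8443),   # legacy app on an undocumented port
    ("192.0.2.11", "198.51.100.7", "tcp", 8443),
    ("192.0.2.11", "198.51.100.7", "udp", 514),    # syslog
    ("192.0.2.11", "198.51.100.7", "udp", 514),
    ("192.0.2.12", "198.51.100.9", "tcp", 22),
    ("192.0.2.12", "198.51.100.9", "tcp", 22),
    ("192.0.2.12", "198.51.100.9", "tcp", 23),     # seen once: not trusted into the baseline
]

# Constructed monitoring-phase flows.
MONITORED_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 443),    # normal
    ("192.0.2.11", "198.51.100.7", "tcp", 8443),   # normal
    ("192.0.2.12", "198.51.100.9", "tcp", 23),     # telnet where only ssh is baselined
    ("192.0.2.13", "198.51.100.5", "tcp", 443),    # host never seen during discovery
    ("192.0.2.10", "198.51.100.5", "tcp", 4444),   # new port on a known pair
]


def learn_baseline(flows, min_count=1):
    """Map each (src, dst) pair to the (proto, port) services it used.

    A service seen fewer than min_count times during discovery is left out,
    so a one-off observed while learning is not silently baked in.
    """
    counts = defaultdict(Counter)
    for src, dst, proto, dport in flows:
        counts[(src, dst)][(proto, dport)] += 1
    baseline = {}
    for pair, svc in counts.items():
        kept = {s for s, n in svc.items() if n >= min_count}
        if kept:
            baseline[pair] = kept
    return baseline


def known_servers(baseline):
    """Every (dst, proto, port) that some baselined client talks to."""
    return {(dst, proto, port)
            for (_, dst), svcs in baseline.items() for proto, port in svcs}


def classify(flow, baseline, servers):
    """None if the flow matches the baseline, else the kind of deviation."""
    src, dst, proto, dport = flow
    if (proto, dport) in baseline.get((src, dst), ()):
        return None
    if (dst, proto, dport) in servers:
        return "new client of known service"   # lower severity: the service is real
    return "unknown service"                   # nothing in the baseline explains it


def monitor(flows, baseline):
    """Return (flow, reason) for every flow that deviates from the baseline."""
    servers = known_servers(baseline)
    alerts = []
    for flow in flows:
        reason = classify(flow, baseline, servers)
        if reason is not None:
            alerts.append((flow, reason))
    return alerts


def baseline_to_policy(baseline):
    """Render the learned baseline as explicit allow rules: the list of what
    traffic is supposed to be on the network."""
    return [f"allow {proto} {src} -> {dst}:{port}"
            for (src, dst), svcs in sorted(baseline.items())
            for proto, port in sorted(svcs)]


def run_example(min_count=2):
    baseline = learn_baseline(DISCOVERY_FLOWS, min_count)
    return baseline, monitor(MONITORED_FLOWS, baseline), baseline_to_policy(baseline)
```

The min_count threshold matters on a network "rife with legacy applications": whatever happens to be on the wire during discovery, including an attacker or a misconfigured host, would otherwise become part of the definition of normal. Splitting alerts into "new client of a known service" and "unknown service" lets the people reviewing them spend their time on the latter first.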

If you have an innovative solution that you recently installed in a government agency, 
contact Staff Writer Joab Jackson at jjackson@postnewsweektech.com. 
Abstract: Firewall support for UDP traffic today is still insecure 
and inadequate. We propose in this paper a transport layer proxy (TLP) to 
provide a secure UDP firewall traversal service on the transport 
layer (the TLP supports TCP as well). For each UDP association with 
endpoints separated by a TLP server, the TLP server performs user-level or 
host-level authentication, packet filtering, packet relaying, optional 
network address translation, session logging, timing-out of idle 
association, and other security-related functions. The core of the TLP is a 
two-step TLP binding procedure that makes a UDP association stateful 
between a TLP client and a TLP server. This binding procedure supports 
Active UDP Open, Passive UDP Open, and Source-Specific UDP Open, which a 
local program may perform on a UDP socket. (7 Refs) 
Abstract: In a packet switching network, each communication channel is 
statistically shared among many traffic flows that belong to different 
end-to-end sessions. We present and prove a delay guarantee for the virtual 
clock service discipline (inspired by time division multiplexing) . The 
guarantee has several desirable properties, including the following 
firewall property: the guarantee to a flow is unaffected by the 
behavior of other flows sharing the same server. There is no assumption 
that sources are flow controlled or well behaved. We first introduce and 
define the concept of an active flow. The delay guarantee is then formally 
stated as a theorem. We show how to obtain delay bounds from the delay 
guarantee of a single server for different specifications. (15 Refs) 
Abstract: Firewalls provide security by blocking intrusions into an 
enterprise network. But firewalls also produce performance problems 
and cause delay. Most firewalls are designed for data 
applications and are not application specific, though some firewall 
vendors (such as Checkpoint, Jasomi, Datapower, F5 and Sarvega) are moving 
toward packet content analysis (called deep packet inspection). This is a 
move to more application-specific security, though even it does not yet 
cover voice over IP (VOIP) packet analysis. VOIP traffic requires real-time 
delivery, short delay, low jitter and low packet loss across 
networks. Data firewalls are not designed for real-time applications. 
Among other issues, they have difficulty dealing with network address 
translation (NAT) and VOIP signaling. A VOIP call uses either the TCP or 
UDP protocol with well-known application ports to set up a call. To 
deal with these issues, a few vendors have created a new class of product, 
the real-time firewall (RTF), specifically designed to handle both 
data and real-time applications like voice and video over IP. The 
significant difference between data and real-time firewalls is their 
performance for video traffic. For many enterprises, the solution may be a 
separate application-specific real-time firewall (RTF) running in 
parallel to the existing data firewall, a hardware- rather than 
software-based device. In this way, the VOIP traffic passes through a 
firewall specifically designed for its needs, which blocks data 
traffic, while the data firewall blocks VOIP signaling 
and traffic without penalizing the VOIP traffic. 
Abstract (Basic): JP 2004192044 A 

NOVELTY - A port monitoring processor (11) stores the 
identification (ID) number of a client as the access-permitted port 
number. When the port monitoring processor, with a filter 
processor (13), determines that the access situation of the port 
number being accessed does not match the stored ID number 
of the client, an access controller (14) changes the port number 
and notifies the client (2) and server (3). 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following : 

(1) server; 

(2) firewall system; and 

(3) recorded medium storing the port number change program. 

USE - Firewall for interrupting irregular access from the outside 
with respect to network system such as internet. 

ADVANTAGE - The security level of the firewall is improved. 

DESCRIPTION OF DRAWING(S) - The figure shows the block diagram of 
the firewall system. (Drawing includes non-English language text.) 
port management table (12) 
filter processor (13) 
access controller (14) 
Abstract (Basic): FR 2806812 A1 

NOVELTY - Method of configuring a firewall (2) in a data system (3) 
having objects (4) . An access control protocol is put in place for the 
objects being called by resources (13) . Switching, for communication 
with the system, is controlled by imposing one or more network 
interfaces required for the passage of a communication between an 
origin resource and a destination resource. 

DETAILED DESCRIPTION - Access to firewall protected zones (5) is 
not allowed to interfaces being used whilst the communication process 
is being done. Extended ownership services are used to allow the 
addition of supplementary switching application criteria. These 
criteria, as a function of which communication passage is imposed, are 
the calling address, the called address, the application called, the 
calling user, an authentication type, an application period (time and 
date of access) , use level and/or an alert caused by a particular 
action associated with a particular event. 

An Independent Claim is included for - A firewall configuration 
machine . 

USE - For access control to computer data systems 

ADVANTAGE - Designed to allow a firewall administrator to control 
the switching of data packets at firewall level as a function of 
various criteria such as source address and/or port numbers, for 
a user who requests access at a particular time and date. 

DESCRIPTION OF DRAWING(S) - The drawing shows a schematic of the 
firewall and system 

configuration machine (1) 

firewall (2) 

data system (3) 

objects (4) 

firewall protected zones (5) 
internal sub-network (6) 
demilitarized sub network (7) 
internet sub network (8) 
liaison sub network for firewalls (9) 
interfaces (10) 

firewall configuration machine (11) 
administrator (12) 
resources (13) 
graphical interface (14) 
compilation driver (15) 
tele-loading module (16) 




7/9/5 (Item 5 from file: 350) 

DIALOG(R) File 350: Derwent WPIX 

(c) Thomson Derwent. All rts. reserv. 

013499930 **Image available** 
WPI Acc No: 2000-671871/200065 

Related WPI Acc No: 1999-458217; 2000-282810; 2000-490547; 2000-585979; 
2001-023206; 2002-105000; 2002-170856; 2004-830853 

XRPX Acc No: NOO-498038 

Firewall server service quality managing method used in internet, 
involves estimating bit rate over round trip time between source and 
receiver, based on which acknowledgment signal is transmitted or 
delayed 

Patent Assignee: UKIAH SOFTWARE INC (UKIA-N) 
Inventor: SAWHNEY S; VAID A 

Number of Countries: 001 Number of Patents: 001 
Patent Family: 

Patent No   Kind  Date      Applicat No   Kind  Date      Week 

US 6119235  A     20000912  US 9747752    P     19970527  200065  B 
                            US 97998332   A     19971224 

Priority Applications (No Type Date): US 9747752 P 19970527; US 97998332 A 

19971224 
Patent Details: 

Patent No Kind Lan Pg Main IPC Filing Notes 

US 6119235 A 14 G06F-011/30 Provisional application US 9747752 

Abstract (Basic) : US 6119235 A 

NOVELTY - The data source and receiver connection is classified 
into a traffic class. Bit rate over a round trip time between the 
source and the receiver is determined. The firewall server transmits 
and delays the acknowledgment signal to the source, when the bit rate 
is less than and exceeds the bit rate limit, respectively. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following : 

(a) firewall server; 

(b) computer program product; 

(c) method for managing network traffic via a network 

USE - Used for manipulating and allocating bandwidth on a 

telecommunication network like internet, local area network, wide area 
network etc. 

ADVANTAGE - The telecommunication traffic including directory 
service and bandwidth management is managed at a single region that is 
the firewall server. The implementation into a pre-existing system, is 
relatively easy as the quality management method is predominantly 
software base which can be easily installed to the existing system. 

DESCRIPTION OF DRAWING (S) - The figure shows a simplified block 
diagram of a flowchart for the firewall server service quality managing 
method. 
Abstract: Traditionally, firewalls and anti-virus programs try to 
block attacks, and intrusion detection systems (IDSs) identify attacks as 
they occur. Such techniques are crucial to network security, but have 
limitations. A firewall can stop attacks by blocking certain 
port numbers, but it does little to analyze traffic that uses allowed 
port numbers. IDSs can monitor and analyze traffic that passes 
through open ports , but do not prevent attacks. With the 
proliferation of sophisticated attacks and the discovery of new 
vulnerabilities, new methods are needed to protect precious data and 
network resources. Intrusion prevention systems (IPSs) use new proactive 
approaches that block attacks before damage is done. The article looks at 
the different approaches taken by IDSs and IPSs, including host-based IPS 
(HIPS) and network-based IPS (NIPS) . Firewalls, antivirus, IDS and 
IPS have their place in the security landscape, each with its unique 
features, and are not competing components. Bulletproof security does not 
exist. Security is a continuous process of monitoring, maintenance 
and modification, and no amount of automation can replace trained and 
vigilant personnel. Tools like IPS can provide a silver lining if not a 
silver bullet. 
Abstract: VOIP poses two main challenges for firewalls: the need to 
deal with network address translation (NAT), and the need to open 
lots of firewall ports to let VOIP through. A group of 
companies is taking on the challenge, each with its own solution. 
Abstract: Network security has now become one of the most important 
aspects of computer systems and the Internet. Apart from strong encryption, 
there is no definite method of truly securing a network, so networks must be 
protected at different levels of the OSI model. At the physical layer, they 
can be protected by lock and key, and at the data link layer, they can be 
protected within VLANs (virtual LANs). At the network and transport 
layers, networks can be secured by firewalls, which monitor source 
and destination network addresses, and source and destination ports, 
respectively. At the session level, user names and passwords are used. 
Unfortunately, all these methods can be prone to techniques which overcome 
the protection used. This paper expands the research previously undertaken 
on a misuse system based on intelligent agent software technology. The 
system monitors user actions in real time and takes appropriate actions if 
necessary. Along with this, our system uses short-term prediction to 
predict user behaviour and advises the system administrator 
accordingly, before the actual actions take place. This paper presents new 
results, which are based on an increased number of users. We tested our 
short-term prediction model, introduced the notion of intervention to our 
model, and found that the results are very close to the actual user 
behaviour. (2 Refs) 
Abstract: Network scanning is an increasing threat to network security. 
This paper classifies and analyzes current scanning methods, and concludes 
that current detection and protection against scanning mainly aim 
at information concealment. A novel detection and protection system 
named IEDP is presented in this paper. Its concept is discussed and its 
implementation is described in detail. Compared with current 
approaches, the concept of IEDP can be summed up in one word: 
"impartation". When it detects a scan, IEDP gives the scanner bogus 
information to spoof and confuse him/her. So, for example, when scanning 
ports, the scanner will find that all ports are listening and 
cannot tell which port is really open. IEDP also adopts a new 
mechanism called error steering to spoof the scanner: IEDP randomly 
introduces errors into its communication with the scanner, leading the 
scanner to believe that the communication is unstable and to give up 
scanning. Experiments show that the IEDP system is efficient. (8 Refs) 
Abstract: Network security is an integral component of a multi-user 
distributed information environment. Firewall (FW) technology is a 
popular approach to building secure networks, and a plethora of FWs have been 
designed. Our research focuses on the placement of FWs (i.e. an operations 
research approach) in a large, complex network system, or a system of 
systems. A key contribution of this research is to propose the concept of a 
FW cascade, i.e. a chain of FWs, which could be placed in the path between 
a potential attack point and a network node with sensitive data. Among 
other benefits, the FW cascade offers two key ones: (1) increased 
comprehensiveness (viz. address, port, service, user ID and 
direction) of security protection; and (2) most importantly, a higher 
degree of confidence that the network security engineer can expect from 
the underlying set of FWs and the overall end-to-end security protection 
that is achieved. This results in a novel capability, where a network 
security engineer can provide completeness and high confidence in the 
security attributes across the network. We propose a decomposition of the 
security characteristics of a FW and a suite of FW placement heuristics which 
allow us to place the FWs across the network while optimizing cost and 
maximizing security protection. Minimization of delay is another 
optimization goal. Performance is depicted using simulation. (5 Refs) 